lp:~mvo/snapd/+git/snapd-mvo

Author: Michael Vogt
Author Date: 2024-02-03 15:30:18 UTC

interfaces: add usb-id for GoTrust Idem Key 1C

I just meet some really nice people at FOSDEM asking me about
support for their fido2 key. It looks like the key (GoTrust Idem Key
1C) is not currently in the allow-list. This commit adds it.

Given how popular these keys are and how fast they change I wonder
if we should provide some way to provide the key ids via apparmor
overrides (maybe it's already possible and I forgot?).

Author: Michael Vogt
Author Date: 2023-10-17 07:35:51 UTC

snapcraft: move to core20 and build deb bits with pbuilder-dist for xenial

Author: Michael Vogt
Author Date: 2023-10-12 10:56:51 UTC

snapdtool: simplify InternalToolPath() (thanks to Samuele)

Author: Michael Vogt
Author Date: 2023-10-10 13:54:34 UTC

WIP

Author: Michael Vogt
Author Date: 2023-10-09 09:25:49 UTC

WIP

Author: Michael Vogt
Author Date: 2023-09-28 15:17:36 UTC

WIP

Author: Michael Vogt
Author Date: 2023-09-25 08:32:09 UTC

run-tests: do not write __pycache__ dir

Author: Michael Vogt
Author Date: 2023-09-21 15:35:51 UTC

build-aux: stay at core20 for now

Author: Michael Vogt
Author Date: 2023-09-15 19:49:22 UTC

release: 2.60.4 (#13200)

Author: Michael Vogt
Author Date: 2023-09-15 18:52:12 UTC

release: 2.60.4

Author: Michael Vogt
Author Date: 2023-09-13 09:11:19 UTC

tests. add regression test for LP#2034056

Author: Michael Vogt
Author Date: 2023-09-13 07:22:51 UTC

tests: enable "snap run --strace" test on UC22

The most recent work on `strace-static` with the `--uid` and `--gid`
switch fixes the segfault.

Author: Michael Vogt
Author Date: 2023-09-11 12:29:17 UTC

snapfile: show more context when a snap file header cannot be read

There was a recent salesforce case where a invalid snap was
downloaded but because the error from the snapfile only contains
the "bytes" representation it was not clear right away that
the header was actually a json error like: `{"err...`.

This commit tweaks the error so that more context (15 bytes)
are displayed and they are also displayed as quoted string
not only as bytes.

Author: Michael Vogt
Author Date: 2023-09-07 07:28:07 UTC

apparmor/notify: remove IoctlRequestBuffer.{Bytes,Len}()

The IoctlRequestBuffer is just a type alias for a []byte so the
helpers to get the bytes or the len from it is so trivial it can
be removed.

Author: Michael Vogt
Author Date: 2023-09-06 09:59:36 UTC

tests: increase memory limit for snapd during the tests to 200M

Tests are flaky with the MemoryMax=150M, we saw recently failures
around e.g.the `tests/main/microk8s-smoke:edge` test, e.g.:
```
2023-09-06T07:36:43.0524017Z [ 560.495582] snapd invoked oom-killer: gfp_mask=0x101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), order=0, oom_score_adj=-900
```
Lets increase the memory limit to make things less flaky.

Author: Michael Vogt
Author Date: 2023-09-06 07:00:07 UTC

apparmor: simplify IoctlRequestBuffer

The `IoctlRequestBuffer` is currently a struct with a single
`[]byte`. This means it might equally be just an alias type
with the needed methods.

Author: Michael Vogt
Author Date: 2023-09-05 16:24:46 UTC

tests: fix system-usernames-missing-user multiline MATCH

This test failed with:
```
2023-09-05T12:51:25.0650751Z + echo 'Then the snap cannot be installed'
2023-09-05T12:51:25.0651128Z Then the snap cannot be installed
2023-09-05T12:51:25.0651591Z + MATCH 'cannot add user/group "snap_daemon": group exists and user does not'
2023-09-05T12:51:25.0652024Z + snap install --edge test-snapd-daemon-user
2023-09-05T12:51:25.0652503Z grep error: pattern not found, got:
2023-09-05T12:51:25.0653135Z error: cannot install "test-snapd-daemon-user": cannot ensure users for snap
2023-09-05T12:51:25.0653797Z "test-snapd-daemon-user" required system username "snap_daemon": cannot
2023-09-05T12:51:25.0654381Z add user/group "snap_daemon": group exists and user does not
```
This is because of the line breaks that are added in the error
and that MATCH only matces a single line. This commit fixes it
by changing the \n to normal spaces in the error message before
doing the match.

Author: Michael Vogt
Author Date: 2023-09-05 16:24:46 UTC

tests: fix system-usernames-missing-user multiline MATCH

This test failed with:
```
2023-09-05T12:51:25.0650751Z + echo 'Then the snap cannot be installed'
2023-09-05T12:51:25.0651128Z Then the snap cannot be installed
2023-09-05T12:51:25.0651591Z + MATCH 'cannot add user/group "snap_daemon": group exists and user does not'
2023-09-05T12:51:25.0652024Z + snap install --edge test-snapd-daemon-user
2023-09-05T12:51:25.0652503Z grep error: pattern not found, got:
2023-09-05T12:51:25.0653135Z error: cannot install "test-snapd-daemon-user": cannot ensure users for snap
2023-09-05T12:51:25.0653797Z "test-snapd-daemon-user" required system username "snap_daemon": cannot
2023-09-05T12:51:25.0654381Z add user/group "snap_daemon": group exists and user does not
```
This is because of the line breaks that are added in the error
and that MATCH only matces a single line. This commit fixes it
by changing the \n to normal spaces in the error message before
doing the match.

Author: Michael Vogt
Author Date: 2023-09-04 16:15:03 UTC

many: add "content" snap mounts as early as "overmounts"

As outlined in LP#2034056 it looks like the current mounts when
mixing content snaps and layouts can be confusing and error prone.

One issue here is that snap-update-ns does not handle "content"
snap content special and they may get mounted pretty late, i.e.
after snap-update-ns created the "layout" bind mounts already.

This commit fixes this by adding "content" mounts to the list
of `newIndependentDesiredEntries` in snap-update-ns - those
are mounted before the other entries. An alternative (or
addition) is probably to add them to sorting so that
```
overmount > content > layout > other
```

Author: Michael Vogt
Author Date: 2023-08-30 06:37:30 UTC

gadget: fix typos in installSuite (thanks to Miguel)

Author: Michael Vogt
Author Date: 2023-08-27 18:46:30 UTC

squashfs,snapstate: unpack individual files with -no-xattrs

When unpacking individual files in squashfs.go we should do
so with `-no-xattrs` because this call will otherwise break
on fedora systems that use security.selinux xattrs that can
only be modified as root.

This commit fixes unit test failures when running on e.g
Fedora.

Author: Michael Vogt
Author Date: 2023-08-28 06:52:51 UTC

packaging: update BuildRequires to include test requirements

This commit adds some missig BuildRequires that will be needed
to pass the unit tests.

Author: Michael Vogt
Author Date: 2023-08-28 06:22:14 UTC

snap: fix TestParseQuotas when no snapd.socket is avilable

The TestParseQuotas was hitting the /v2/quota/<group> endpoint
and with no snapd available it would hang forever. This commit
fixes this by adding the missing fake handler.

Author: Michael Vogt
Author Date: 2023-08-25 17:02:30 UTC

release: 2.60.3 (#13124)

Author: Michael Vogt
Author Date: 2023-08-25 16:39:01 UTC

release: 2.60.3

Author: Michael Vogt
Author Date: 2023-08-24 13:27:10 UTC

apparmor: disable vendoring again

This is similar to 9ad372eae0, apparmor vendoring is disabled
again because it breaks user with non-home homedirs or users
that require tunables from /etc.

See also:
https://forum.snapcraft.io/t/upgrade-snapd-from-2-59-5-to-2-60-2-gives-apparmor-denied-on-app-launch-for-every-app/36492
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2032668

Author: Michael Vogt
Author Date: 2023-08-04 12:32:56 UTC

release: 2.60.2 (#13063)

Author: Michael Vogt
Author Date: 2023-08-21 10:47:10 UTC

WIP

Author: Michael Vogt
Author Date: 2023-08-17 08:51:32 UTC

tests: tweak system-usernames to only change snap.yaml when needed

Author: Michael Vogt
Author Date: 2023-08-16 16:31:23 UTC

cmd: detect if -Wno-missing-field-initializers is needed

Older versions of gcc are buggy and will give incorrect errors when
using `-Wmissing-field-initializers`. This is true on e.g. 14.04
and 16.04. However this is relatively straightforward to detect
and the configure.ac snippet in this commit will take care of it.

Author: Michael Vogt
Author Date: 2023-08-16 16:13:01 UTC

snap-seccomp: use open/read instead of fopen/fread in seccomp-support.c

Author: Michael Vogt
Author Date: 2023-08-16 14:23:54 UTC

snap-confine: workaround bug in gcc from 14.04

The gcc (4.8.4) in 14.04 will not compile the following code:
```
 struct sc_seccomp_file_header hdr = {0};
```
and will error with:
```
snap-confine/seccomp-support.c: In function ‘sc_apply_seccomp_profile_for_security_tag’:
snap-confine/seccomp-support.c:246:9: error: missing braces around initializer [-Werror=missing-braces]
  struct sc_seccomp_file_header hdr = {0};
         ^
snap-confine/seccomp-support.c:246:9: error: (near initialization for ‘hdr.header’) [-Werror=missing-braces]
```

to workaround this a pragma is added.

Author: Michael Vogt
Author Date: 2023-08-14 07:07:17 UTC

cmd: remove -W{no-,}missing-field-initializers

With `-Wextra` the `-Wmissing-field-initializers` is already included
so removing `-Wno-missing-field-initializers` is enough.

Author: Michael Vogt
Author Date: 2023-08-04 10:16:53 UTC

release: 2.60.2

Author: Michael Vogt
Author Date: 2023-08-04 11:39:03 UTC

snap-confine: extract helper from sc_join_preserved_{per_user,}_ns

The tiobe quality check found that we have some duplicated code
in sc_join_preserved_ns() and sc_join_preserved_per_user_ns().

Given that the code is relatively nested and important this
commit extracts two common helpers that will fix most of
the duplication and makes the code also (IMHO) more readable.

Author: Michael Vogt
Author Date: 2023-08-03 16:09:13 UTC

osutil: rename EnsureUserGroup->EnsureSnapUserGroup

Author: Alfonso Sanchez-Beato
Author Date: 2023-07-17 10:01:17 UTC

tests/core20-early-config: make sure to configure any ethernet

The name of the interface is enp0s2 in some cases instead of ens3.

Author: Michael Vogt
Author Date: 2023-07-27 16:18:58 UTC

snap-{seccomp,confine}: replace global seccomp filter with template

The global.bin seccomp filter was written before we had support for
explicit deny rules in snap-seccomp. With these rules we can replace
the hard to followup logic of the global filter and just make the
rules part of the standard seccomp template.

The global rules are best summarized in this comment:
```
struct scmp_arg_cmp no_tty_inject = {
    /* We learned that existing programs make legitimate requests with all
     * bits set in the more significant 32bit word of the 64 bit double
     * word. While this kernel behavior remains suspect and presumably
     * undesired it is unlikely to change for backwards compatibility
     * reasons. As such we cannot block all requests with high-bits set.
     *
     * When faced with ioctl(fd, request); refuse to proceed when
     * request&0xffffffff == TIOCSTI. This specific way to encode the
     * filter has the following important properties:
     *
     * - it blocks ioctl(fd, TIOCSTI, ptr).
     * - it also blocks ioctl(fd, (1UL<<32) | TIOCSTI, ptr).
     * - it doesn't block ioctl(fd, (1UL<<32) | (request not equal to TIOCSTI), ptr); */
    .arg = 1,
    .op = SCMP_CMP_MASKED_EQ,
    .datum_a = 0xffffffffUL,
    .datum_b = TIOCSTI,
};
sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
```
and the same for `TIOCLINUX`.

Author: Michael Vogt
Author Date: 2023-07-31 08:12:32 UTC

arch: fix incorrect architecture name in `arch.Endian()`

The go and Debian/Ubuntu architecture names are extremly close and
there was a typo in one of them (i386->386). In addition to fixing
the typo this commit also includes a list of known architectures
from the go source directly to ensure this change is correct.

There is no exported list of available architectures so it had to
be copied. There is `go tool dist list` which will list all
supported combinations of os/arch but the downside of using this
is that when architecture support gets dropped in the future the
test would start failing for no good reason.

Author: Michael Vogt
Author Date: 2023-07-28 18:44:17 UTC

review feedback

Author: Michael Vogt
Author Date: 2023-07-28 13:56:57 UTC

tests: fix snap-seccomp test on 14.04

Author: Michael Vogt
Author Date: 2023-07-26 17:42:03 UTC

snap-confine: fix missing \0 after readlink

The readlink() call does not add a terminating \0. Because orig_cwd
is not initialized this can lead to silent corruption (as was
observed in PR#13014.

Author: Michael Vogt
Author Date: 2023-07-25 12:24:26 UTC

client: fix TestClientExportSnapshotSpecificErr naming

Co-authored-by: Miguel Pires <miguelpires94@gmail.com>

Author: Michael Vogt
Author Date: 2023-07-21 07:43:10 UTC

Revert "snap/mount: discard namespace and retry if updateSnapNamespace fails (#12541)"

This reverts commit 5ea6820282bf1781787d31c444e857a9db9e700b.

Samuele noticed that there might be issues when a snap is forcefully
updated. So the changes from PR#12541 may need to be reverted.

Author: Michael Vogt
Author Date: 2023-07-20 20:01:56 UTC

disks: fix copy/paste error in mockdisks.go

The loop is about `KernelDeviceNode` but the code checks
for `KernelDevicePath`. This looks like a copy/paste error
from the previous looe` but the code checks
for `KernelDevicePath`. This is a copy/paste error
from the previous loop. Includes a unit test.

Author: Michael Vogt
Author Date: 2023-07-20 19:52:47 UTC

assertstate: fix nil access in checkConflictsAndPresence

The code checks that `as` is of type `asserts.ValidationSet`. Hower
when it is not the (nil) value of the failed type assertion is
used in the error. So if this ever is hit it would causes a crash.

Author: Michael Vogt
Author Date: 2023-07-20 17:48:35 UTC

daemon: fix crash when a non-model assertion is sent /v2/model

A remodel with an assertion that is not a model assertion will
currently crash the daemon. This commit fixes this and adds a
test.

Author: Michael Vogt
Author Date: 2023-07-20 17:35:53 UTC

interfaces: fix missing error return in kvm

Author: Michael Vogt
Author Date: 2023-07-19 17:39:05 UTC

boot: fix redundant error check in markSuccessful()

This commit removes an error check that is unnecessary. No new
error is created here and err is already checked 4 lines above.

Author: Michael Vogt
Author Date: 2023-07-19 17:35:57 UTC

systemd: fix incorrect err handling in ensureMountUnitFile()

The ensureMountUnitFile() was not handling errors from
osutil.EnsureFileState() correctly. This commit fixes this and
adds a unit test.

Author: Michael Vogt
Author Date: 2023-07-19 17:10:51 UTC

devicestate: fix missing err assignment in cleanupRecoverySystem

Author: Michael Vogt
Author Date: 2023-07-19 16:06:19 UTC

preseed: remove unneeded error check after sd.EssentialSnaps()

There is no need to check `sd.EssentialSnaps()` as it does not
return an error.

Author: Michael Vogt
Author Date: 2023-07-19 14:54:09 UTC

snap: fix incorrect undo debug timings

The undo part of the debug timings had an incorrect `if` statement
and missed a test. This commit fixes this.

Author: Michael Vogt
Author Date: 2023-07-19 14:20:00 UTC

osutil: fix broken {old,new}Dir.Sync() in AtomicRename()

The AtomicRename() code was assigning {old,new}Dir only inside
the `if !snapdUnsafeIO{}` block which means that the
`{old,new}Dir.Sync()` calls never happend.

Author: Michael Vogt
Author Date: 2023-07-19 13:25:29 UTC

seed: fix ValidateError output

The variable `first` is never changed so the `else` part is never
taken. This commit fixes this and adds a unit test.

Author: Michael Vogt
Author Date: 2023-07-19 13:21:08 UTC

daemon: remove unreachable code

Author: Michael Vogt
Author Date: 2023-07-18 10:23:03 UTC

osutil: make EnsureDirStateGlobs() deal with subdirs

Author: Michael Vogt
Author Date: 2023-07-17 15:04:15 UTC

snapcraft.aml: make shapeshift more robust

Author: Michael Vogt
Author Date: 2023-07-17 19:18:19 UTC

Merge remote-tracking branch 'upstream/master' into wait-cli-improvements

Author: Michael Vogt
Author Date: 2023-07-17 11:20:08 UTC

tests: make `strace-static` channel point to beta

The current strace-static edge channel is unhappy so let's switch
to `--beta` until this is fixed.

Author: Michael Vogt
Author Date: 2023-07-14 13:42:23 UTC

gadget: fix TestMountVolumesLazyUnmount after master branch update

Author: Michael Vogt
Author Date: 2023-07-12 14:45:58 UTC

snapcraft.yaml: pull in apparmor optimization patches from Alfonso

The added apparmor patch `parser: replace dynamic_cast with is_type
method` will speed up profile generation by 30%.

Author: Michael Vogt
Author Date: 2023-07-12 14:45:58 UTC

snapcraft.yaml: pull in apparmor optimization patches from Alfonso

The added apparmor patch `parser: replace dynamic_cast with is_type
method` will speed up profile generation by 30%.

Author: Michael Vogt
Author Date: 2023-07-10 09:44:03 UTC

interfaces: update comments about `no-expr-simplify`

This commit is a followup for the comments in the review for
PR#12918 [1]. As snapd is no longer using `no-expr-simplify`
all reference in the code got updated.

The `AddParametricSnippet()` that was originally introduced to
avoid exponential memory growth with the parser is still useful
and needed because the measurements in PR#12943 show that
multiple lines with overlaping patterns will slow down the
apparmor_parser when running with default `expr-simplify`.

The comments are updated accordingly in this commit.

[1] https://github.com/snapcore/snapd/pull/12918#pullrequestreview-1499831667

Author: Michael Vogt
Author Date: 2023-07-10 09:05:08 UTC

install: extract unmount helper function

In the review of PR#12939 extracting a common helper for unmounting
was suggested. This commit extracts a new `unmountWithFallbackToLazy`
helper that first tries to do a normal unmount and then falls
back to `syscall.MNT_DETACH` which is the same as `umount --lazy`.
It will ensure the mountpoint will be released in the kernel once
there are no longer any processes keeping it busy.

Author: Michael Vogt
Author Date: 2023-07-07 07:19:31 UTC

Merge remote-tracking branch 'upstream/master' into fix-yaml-issue-666

Author: Michael Vogt
Author Date: 2023-07-06 07:48:49 UTC

release: 2.60.1 (#12950)

Author: Michael Vogt
Author Date: 2023-07-04 19:20:10 UTC

release: 2.60.1

Author: Michael Vogt
Author Date: 2023-07-04 12:56:29 UTC

snap-bootstrap: print version information at startup

We got asked to print the version information of snap-bootstrap
during the boot to help the enablement/field team to know if
they are using the right version of snap-bootstrap.

This is a small commit that archives this. It uses the logger
so quiet boot will also be honored.

Author: Michael Vogt
Author Date: 2023-07-04 11:33:44 UTC

Merge remote-tracking branch 'upstream/master' into spread-test-ensure-apparmor-status

Author: Michael Vogt
Author Date: 2023-07-04 11:14:57 UTC

luks2: use cmdErr in osutil.OutputErr()

Author: Michael Vogt
Author Date: 2023-07-04 10:11:18 UTC

install: improve logging on install failure

Author: Philip Meulengracht
Author Date: 2023-07-04 08:32:20 UTC

i/policy: fix unit tests for snapd-observe

The interface is restricted and has both plug/slot

Author: Michael Vogt
Author Date: 2023-07-03 13:57:53 UTC

github: run arm/arm64 tests on github action too

There was a recent build failure because we do not test arm/arm64
automatically for each PR. This commit adds running the arm/arm64
unit tests by default using qemu-static-user.

Author: Michael Vogt
Author Date: 2023-07-03 13:40:37 UTC

gadget: fix install test on armhf

The default cipher/keysize on armhf is different from the other
platforms. This commit ensures this is taken into account in
the `testEncryptPartitions()` test.

Author: Michael Vogt
Author Date: 2023-06-28 13:49:27 UTC

release: 2.59.5+screenly2

Author: Michael Vogt
Author Date: 2023-06-26 16:22:14 UTC

tests: add test that explores `apparmor_parser {,no-}expr-simplify`

When apparmor_parser is used with `-O no-expr-simplify` it can
go into a expoential memory/cpu usage pattern when there are
lines with `/**/`. We dealt with that in the past by adding
special helpers like `AddParametricSnippet`, see 9c74887908b.

But it seems we have reached the limits for this now as we have
various interfaces that e.g. contain `/sys/devices/**/.../**` like
patterns which when combined seems to cause issues that make the
parser easily consume more than 1G of memory.

This commit has an example snap that combines some of the problematic
interfaces and demonstrates that it cannot be compiled with less
than 900M (the real number is probably closer to 1G) when
`no-expr-simplify` is used. It then shows that it does work with
the default apparmor options.

Author: Michael Vogt
Author Date: 2023-06-26 17:01:46 UTC

go.mod: run go mod tidy (thanks to Miguel)

Author: Michael Vogt
Author Date: 2023-06-26 13:51:46 UTC

many: stop using `-O no-expr-simplify` in apparmor_parser

We recently ran into a real world profile bug where the option
`-O no-expr-simplify` causes a 10x increase in apparmor_parser
runtime and memory usage [1] that breaks existing customers.

The decision to use `-O no-expr-simplify` was taken in 2014 [2]
and the profiles back then where simpler. This commit will
make some profile generation slower but it will avoid going
into the exponential memory usage when compiled with
`apparmor_parser -O no-expr-simplify`.

[1] https://bugs.launchpad.net/snapd/+bug/2025030
[2] https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858

Author: Michael Vogt
Author Date: 2023-06-23 09:46:00 UTC

daemon: add TODO

Author: Michael Vogt
Author Date: 2023-06-15 15:43:28 UTC

release: 2.60 (#12894)

Author: Michael Vogt
Author Date: 2023-06-15 15:15:41 UTC

release: 2.60

Author: Michael Vogt
Author Date: 2023-06-15 10:10:59 UTC

README.md: fix typo (thanks to Graham)

Author: Michael Vogt
Author Date: 2023-06-14 14:14:17 UTC

Merge pull request #26 from olivercalder/apparmor-prompting-permission-handling-backend

prompting/storage: added per-permission decision handling

Author: Michael Vogt
Author Date: 2023-06-13 10:49:01 UTC

interface: partly revert network-control apparmor change (ee7e554)

This commit reverts the commenting out of the rule:
```
mount options=(rw, rslave) /,
```
This was broken in apparmor 3.1.4 but got fixed in 3.1.5.

Author: Michael Vogt
Author Date: 2023-06-12 16:27:36 UTC

WIP

Author: Michael Vogt
Author Date: 2023-06-12 11:27:03 UTC

devicestate: do not use the proxy for device-service on proxy errors

When a `proxy.store` is used together with a `device-service.url`
snapd will try to acquire the serial assertion via the proxy
store.

If there was any error from the proxy store snapd would historically
just ignore the proxy store and use the `device-service.url` directly.

However this behavior is not neccessarily correct as the proxy may
just be down or configured incorrectly. So this was changed [1] but
existing customers depend on the old behavior.

For a real fix we need a way to express that a proxy store should
be used in general but that it should not be used for the
`device-service.url`. This is not possible to express right now
and needs design.

So as a short term fix this commit restores the old behavior.

[1] https://github.com/snapcore/snapd/pull/12593/files#diff-def3111c6efb66814e58452672900286c18087b637548fcee28c321ada4a2b6c

Author: Michael Vogt
Author Date: 2023-06-12 10:46:26 UTC

devicestate: add new proxy.ignore=device-service-url option

Author: Michael Vogt
Author Date: 2023-06-12 07:26:13 UTC

go.mod: test build with github.com/mvo5/secboot@select-cbc-on-slow-armhf-uc22

Test build of snapd with `go.mod` trickery to replace the regular
secboot with https://github.com/snapcore/secboot/pull/257

Author: Michael Vogt
Author Date: 2023-06-06 11:10:21 UTC

interfaces: fix `network-control` rule for apparmor 3.1.4

It looks like some changes in apparmor 3.1.4 cause issues with
the existing network-control rules. It appears the rules are
stricter now.

Thie commit updates the rules to match the new behavior, see
also https://bugs.launchpad.net/apparmor/+bug/2023025

Author: Michael Vogt
Author Date: 2023-06-06 08:27:21 UTC

spread: add apparmor version as part of the debug output

Author: Michael Vogt
Author Date: 2023-06-05 14:20:15 UTC

Merge remote-tracking branch 'upstream/master' into gpio-control-platform

Author: Michael Vogt
Author Date: 2023-06-05 10:09:16 UTC

tests: ensure account-control works with common-auth using pam modules

During the review of PR#12860 we found that when using account-control
with pam modules that use "lockout" is not tested.

This commit adds a test.

Author: Michael Vogt
Author Date: 2023-06-05 10:45:37 UTC

tests: ensure account-control works with common-auth using pam modules

Author: Michael Vogt
Author Date: 2023-06-05 08:45:14 UTC

github: fix/simplify `go fmt` check

It looks like the format check in the static tests got broken when
we moved to go 1.18. It was most likely missed because the code
does not check for `1.13` but uses a regexp `1\.13`.

This commit fixes this and also simplifies the code around this
so that on the next move to a newer go-version we have an easier
time finding the version.

Author: Michael Vogt
Author Date: 2023-05-27 07:45:35 UTC

release: 2.59.5

Author: Michael Vogt
Author Date: 2023-05-27 07:45:35 UTC

release: 2.59.5

Author: Michael Vogt
Author Date: 2023-05-25 18:22:37 UTC

tests: fix snap-seccomp-blocks-tty-injection on 32bit systems

Author: Michael Vogt
Author Date: 2023-05-25 18:22:37 UTC

tests: fix snap-seccomp-blocks-tty-injection on 32bit systems

Author: Michael Vogt
Author Date: 2023-05-24 08:58:54 UTC

snap-confine: add `tmpfs` mount rule to apparmor profile

After a fresh boot with the lunar proposed kernel 6.2.0-23.23 with the
snapd from `edge/prompting` revision 19342 and 19399 (and the apparmor
userspace build from https://gitlab.com/jjohansen/apparmor.git and the
"prompt" branch). I cannot produce this with the snapd from "edge"
that vendors a slightly older version of apparmor userspace.

I got an error starting snaps:
```
$ firefox
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_9ftEd8: Permission denied
$ sudo dmesg|tail -n1
[ 43.588251] audit: type=1400 audit(1684915677.455:329): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/snap/snapd/19342/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_9ftEd8/" pid=4741 comm="snap-confine" fstype="tmpfs" srcname="none"
```

Looking at the apparmor profiles we generate for `snap-confine` I could
indeed not find a rule that allows snap-confine to mount the scratch dir
that should be needed in `mount-support.c:sc_bootstrap_mount_namespace()`.

The relevant code looks like this:
```
 sc_do_mount("none", scratch_dir, NULL, MS_UNBINDABLE, NULL);
 if (config->normal_mode) {
  sc_initialize_ns_fstab(config->snap_instance);
  // Create a tmpfs on scratch_dir; we'll them mount all the root
  // directories of the base snap onto it.
  sc_do_mount("none", scratch_dir, "tmpfs", 0, NULL);
  sc_replicate_base_rootfs(scratch_dir, config->rootfs_dir, config->mounts);
```
and indeed `strace` confirms this mount is taking place:
```
[pid 15281] mount("none", "/tmp/snap.rootfs_w5Tw1R", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
```

Manually adding the following rule to the `snap-confine` profile:
```
    mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
```
and
```
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19342
```
made snaps work again.

This is puzzling because AFAICT the rule is really missing and the mount
should be denied but it's only denied with the vendored userapce from
the `edge/prompting` snap.